Security issues in computer systems are pervasive and embedded control systems – from smart home appliances, the Internet of Things, to critical infrastructure in factories or power plants – are no different. This blog post summarises a line of research on architectural support for security features in embedded processors, with the potential to substantially raise the bar for attackers.

Security in Embedded Control Systems

Sensing, actuation and network connectivity are the basic building blocks for smart infrastructure. In a smart building, sensors detect human presence, measure air quality or room temperature, and communicate these measurements to control systems that operate lighting, air conditioning or other appliances. In Industrial Control Systems (ICSs) and smart factories, similar sensing setups may detect delays, production faults or hazardous situations, and determine the need for human intervention. Supply chain optimisations or alerts may be triggered in response. A smart car can detect dangerous objects on the road and raise the attention of the driver while triggering similar alerts in nearby cars. A smart city may combine all these scenarios and accumulate, aggregate and evaluate sensor inputs at an un-preceded scale to optimise traffic flow, air quality, noise, power consumption, and many other parameters with the overall aim to facilitate sustainable use of resources and to increase the quality of life for the city’s inhabitants.

With the continuation of the trend to augment appliances and infrastructure
with computerised sensing, actuation and remote connectivity, "smart
environments" imply a range of threats to our security and privacy, and ultimately to our safety. The key amplifier for these threats is connectivity. The use of publicly accessible long-range communications – such as the internet or wireless communication technology – where data in transit may be subject to manipulation by adversaries, lead to an extended attack surface and to the exposure of sensing and control systems to attackers.

Of course, smart environments are insecure. Typicall sensing and control networks are even less secure than our personal computers: Many of these systems were not designed with security in mind, just because they were never meant to be connected to a global communications infrastructure and thereby exposed to attacks. A substantial role is played by legacy systems that were developed and deployed in a time when the idea of making these systems "smart" by permanently connecting them to, e.g., supply-chain management, was technically infeasible and not anticipated. Gonzalez et al. argue that two thirds of ICS vulnerability disclosures had an architectural root cause, while about one third of the vulnerabilities were due to coding defects. The problem is pervasive and control systems across critical domains suffer from vulnerabilities resulting in exploits: Since the Stuxnet incident we understand that industrial equipment can be physically damaged through cyber attacks.

Screenshot of the WannaCry ransomware that infected PCs at a global
scale in 2017, leaving mission-critical data in institutions such as many British
NHS hospitals inaccessible.

With the advent of complex infotainment systems and remote connectivity in automotive vehicles, researchers discovered vulnerabilities that allow attackers to remotely control critical functionality of cars (e.g. Checkoway et al., and Miller and Valasek). And attacks against the Ukrainian power grid, led to pervasive and lasting blackouts during the Russian military intervention around Crimea.

Architectural Threat Mitigations

Our approach to architectural support for security leverages light-weight Trusted Execution Environments (TEEs). Intuitively, we enable the development of secure software by providing hardware extensions that guarantee that a computer will consistently behave in expected ways. Modern Trusted Computing systems provide some form of "enclaved execution" in a TEE, that protects a software, the enclave, from malicious interactions with other software. Ultimately, TEEs
relies on cryptography and provides mechanisms to securely manage and use cryptography in distributed software systems. To date, a range of implementations of this idea exist, which are aimed at different application domains. Maene et. al provide a comprehensive overview of the available technology and its capabilities.

Sancus builds upon the openMSP430, an open-source implementation of Texas Instruments’ MSP430 processor core. The MSP430 and openMSP430 are designed for the Internet of Things and embedded control systems: they are relatively inexpensive low-end devices that feature a very low power consumption. Natively, the device provides little security, which is very common for processors in this domain. Sancus guarantees strong isolation of software modules, which we refer to as Protected Modules (PMs), through low-cost hardware extensions.
Moreover, Sancus provides the means for remote parties to attest the state of, or communicate with, the isolated software modules. Importantly, our implementation of these security features is designed to be small and configurable: Sancus-secured openMSP430 processor cores can be synthesised for a varying number of PMs. The configuration necessarily affects chip size (in gates) and power consumption. Yet, even the biggest (sensible) configuration will still result in a moderately cheap processor (probably below USD 1 per unit) and less than 6% increase in power consumption in active cycles. The Soteria extension of Sancus even allows for offline software protection in low-end embedded devices.

Authentic Execution

Based on TEE primitives in commodity processors and in Sancus, we have developed approaches that provide strong assurance of the secure execution of distributed applications on shared infrastructures, while relying on a small Trusted Computing Base (TCB). Here, "secure execution" means that application modules are protected against a range of attacks that aim to steal secrets from the application, modify the application or tamper with the application’s control flow (notions of confidentiality can easily be implemented on top of authentic execution). These guarantees hold even in the presence of other applications, malware or an untrusted operating system executing on the same (shared) processor. A cryptographic process called remote attestation guarantees that components of a distributed application are mutually assured of the authenticity and integrity of other components of this application, regardless of whether these components execute on the same processor or on a remote site, or even on systems controlled by third parties such as cloud providers.

We build upon and extend security primitives provided by a TEE to guarantee authenticity and integrity properties of applications, and to secure control of input and output devices used by these applications. More specifically, we can guarantee that if such an application produces an output, then this output can always be explained in terms of the application’s source code and the inputs it received. This is fundamentally different from how these applications were built in the past: traditionally, the security of a distributed application would rely on the security of the hardware and an enormous stack of software, including e.g., operating systems, communication stacks, and system libraries, all of which can be seen as attack surface. Authentic execution on TEEs mitigates this by isolating application components, at least with respect to their security properties, from the overall software stack that is required to operate a device and to facilitate communication. This is what we refer to with our claim of containing functionality in a small TCB: The security properties of an application depend on trusting a substantially reduced volume of software. Ideally, this TCB can be reduced to the processing hardware and the core application software. Experiments (see Noorman et al., Van Bulck et al., Mühlberg et al.) show that we are often able to rely on only 1% to 10% of the software volume to implement critical functionality securely.

Demo setup for the VulCAN approach to secure automotive CAN
networks. This demo has two dashboards, illustrating the integration of legacy
car components in a secure environment. One side of the demo will react to
attacks as a conventional, insecure car would do, the other side uses Sancus based software protection and attestation.

The video above shows our most comprehensive demonstrator, a secured vehicular control network. Specifically, we provide a generic design for efficient and standard compliant vehicular message authentication and software component attestation, named VulCAN. This demonstrator is based on the understanding that vehicular control networks, in particular the pervasive (beyond the automotive sector) CAN bus, provide no security mechanisms. Our approach advances the state-of-the-art by not only protecting against network attackers, but also against substantially stronger adversaries capable of arbitrary code execution on participating Electronic Control Units (ECUs). We demonstrate the feasibility and practicality of VulCAN by implementing and evaluating two previously proposed, industry standard-compliant message authentication protocols on top of Sancus. Our results show that strong, hardware-enforced security guarantees can be met with a minimal TCB without violating stringent real-time deadlines under benign conditions.

In our experience, practitioners have
difficulties in understanding how enclaved execution can be
leveraged, in particular in heterogeneous distributed
networks. Over the past six years, our research group has gained significant experience with applications of Sancus and TEEs. To cover gaps in the understanding of these domains amongst software developers "in the wild", we have developed extensive tutorial material that explains how to build secure distributed applications along the lines of the authentic execution idea.

Wrapping Up

Security issues in computer systems are pervasive. So pervasive that media attention, even for attacks that affect millions of users, fades away within a few days. Up till now, most of these attacks have caused little more than financial damage and the compromise of personal data. Yet, recent incidents have shown that with the advent of connected cyber-physical systems, cyber attacks will, to an increasing extent, have physical consequences and can put the population at large at the risk of suffering physical harm, in particular when critical infrastructure is affected. To counter these risks, we must pervasively embrace security in our engineering efforts.

There are technological solutions to provide security for distributed applications such as control systems. In this blog post we summarise our work on open-source TEEs and the Sancus processor, which addresses security in low-end systems. The current incarnation of Sancus, version 2.1, is available on GitHub. We developed a research agenda for security extensions in processors, which leverage open-source concepts for the community to collectively develop a clear understanding of execution semantics and the resulting security implications. Here we envision Sancus to serve as an
open-source research vehicle with limited complexity, which allows to
address micro-architectural vulnerabilities in processors in a principled and step-by-step way. We argue that without such an understanding, regulatory and legal requirements regarding safety and security, but also privacy-related regulations such as the GDPR are hard to satisfy.
Our ongoing research in this field focuses, e.g., on extending Sancus with provably resistant against side-channel attacks such as Nemesis. In a second line of research, we are exploring novel application domains for Trusted Computing technology in the context of distributed mixed-criticality systems with stringent real-time constraints. An up-to-date overview of our research activities and publications is available on the Sancus website.

Importantly, TEEs alone will not solve security: Any secure development process must embrace requirements analysis and threat modelling early to be effective and to advise the choice of appropriate technologies. Moreover, implementing security requires engineers at all levels of a system stack to understand the security implications of their choices of technology, to develop effective communication strategies to inform other levels of their assumptions, requirements and guarantees, and to be ready to adapt to change.

Beyond understanding and using the right technological basis for building secure systems, we believe that there is need for a proactive legislative approach, that combines a careful assessment
of state of the art of protective technologies with a gradual increase of liability for software and
hardware vendors for security and privacy incidents.

Tuesday, May 7, 2019

Today’s Smart City
developments can be summarized as ‘representatives smart’, as opposed to
‘collective-smart’ – one of the terms we propose for describing the future
vision of cyber-human smart cities involving a rich and active interplay of
different stakeholders (primarily citizens, local businesses and authorities),
effectively transforming the currently passive stakeholders into active
ecosystem actors.

Realizing such complex
interplay requires a paradigm shift in how the physical infrastructure and
people will be integrated and how they will interact. At the heart of this
paradigm shift lies the merging of two technology and research domains –
Cyber-physical Systems and Socio-technical Systems – into the value-driven
context of a Smart City. The presented Smart City vision diverges from the
traditional, hierarchical relationship between the society and ICT, in which
the stakeholders are seen as passive users who exclusively capitalize on the
technological advancements. Rather, the architecture we propose puts value
generation at the top of the pyramid and relies on “city capital” to fuel the
generation of novel values and enhancement of traditional ones. This
effectively transforms the role and broadens the involvement and opportunities
of citizen-stakeholders, but also promotes the ICT from passive infrastructure
to an active participant shaping the ecosystem.

Architecture of Values: The fundamental idea
behind a collective-smart city is the inclusion of all its stakeholders
(authorities, businesses, citizens and organizations) in the active management
of the city. This includes not only the management of the city’s
infrastructure, but additionally the management of different societal and
business aspects of everyday life. The scale and complexity of managing
diverging individual stakeholder interests in the past was the principal reason
for adopting a centralized city management model where elected representatives
manage all aspects of the city’s life and development.

However, we believe
that recent technological advances will enable us to share the so-far
centralized decision-making and planning responsibilities directly with various
stakeholders, allowing faster and better-tailored responses of the city to
various stakeholder needs.

The key technological
enabler for this process is the active and wide-scale use and interleaving of
technologies and principles from the IoT and Social Computing domains in the
urban city domain. These technologies form the basic level of the proposed
architecture of values. They allow the city to interact bidirectionally with
the citizens in their everyday living, working and transport environments using
various IoT edge devices and sensors, but also to actively engage citizens and
other stakeholders to perform concrete tasks in the physical world, express
opinions and preferences, and make decisions. The “city” does not need to be an
active part in this interaction. It can serve as a trustworthy mediator
providing the physical and digital infrastructure and accepted coordination
mechanisms facilitating self-organization of citizens into transient, ad hoc
teams with common goals. This synergy, in turn, enables the creation of novel
societal and business values.

Infrastructural values – This category
includes and extends the benefits conventionally associated with the existing
notion of Smart City – those related to the optimized management of shared
(city-wide) infrastructure and resources. Traditionally, the management of such
resources (e.g., transportation network and signalization, internet
infrastructure, electricity grid) has been static and highly centralized. The
new vision of a Smart City relies on the interplay of humans and the
IoT-enabled infrastructure, enabling additional, dynamic, locally scoped
infrastructural optimizations and interventions, e.g., optimization of physical
and IT/digital infrastructure in domains such as computational resources,
traffic or building management. Apart from existing static/planned optimizations
(e.g., static synchronization of traffic lights), the dynamic optimizations of
the infrastructure might include temporary traffic light regime changes when a
car accident is detected.

Societal values – This novel value
category arises through the direct inclusion and empowerment of citizens as key
stakeholders of the city. The fact that through the use of incentivized/paid to
perform specific tasks in both the digital and physical environments is a
powerful concept bringing along a plethora of socially significant changes.

For example, while
most cities function as representative democracies, significant local changes
are often decided upon through direct democracy (referendums, initiatives).
While undeniably fair in principle, one of the biggest obstacles to more
frequent use of direct democracy is the under-informedness of voters. It has
been shown that informing the citizens enables them to make more judicial and
responsible decisions. The pervasiveness of IoT devices enables interaction
with citizens directly and opens up the possibility of informing the citizens
better, or even simulating in practice the outcomes of different election
choices.

Tuesday, April 30, 2019

It has been predicted that by 2050, around two-thirds of the world’s population might be living in urban settlements. To make the cities ready for population expansion and growth, ICT is playing a critical role in the future of urbanisation referred to as ‘Smart City’. It has recently become the hot topic of research as the tech giants such as Google and Microsoft entering the race of real state.

There is no consensus on the exact definition of smart cities, however, any definition would refer to the core concepts of advanced technological infrastructure for urban society with collaborative and interactive human-centred design. An emerging view is that smart cities aim to increase efficiency, sustainability, and improve quality of life for citizen by utilizing technologies to connect every layer of a city, from the air to the streets to underground, to capture and analyse data from various independently-managed and operating infrastructures, utilities and service providers.

The buzz words used by researchers to propose architectural solutions for smart cities include Artificial Intelligence (AI), Internet of Things (IoT), Smart Phones, Cloud-based Services and Big Data. In essence, a smart city is a large-scale cyber-physical complex socio-technical system for an urban population that is comprised of many interconnected subsystems. Examples of these subsystems include transportation, power and water supply, waste management, pollution monitoring, crime detection, video surveillance, emergency response system and other smart community initiatives for e-governance. Typical examples of smart city are Singapore, Dubai, Amsterdam, Barcelona, Stockholm, and New York.

The three core components of a smart city are People, Processes and Technology. Regardless of the type of technology used for smart city implementation, the most emphasised factor is ‘Citizen Engagement’. As pointed out by Bettina Tratz-Ryan, research vice president at Gartner, "The way forward today is a community-driven, bottom-up approach where citizens are an integral part of designing and developing smart cities and not a top-down policy with city leaders focusing on technology platforms alone”.

Smart city design should not only allow the community of citizens to interact directly with the technology but increase their participation in the governance of the cities. However, relatively little research has focused on the complexities and pragmatics of citizen engagement leading to their participation in governance.

There are various stakeholders in the smart city and citizens are only one group of stakeholder. The intention for involving citizens in co-production and the evolution of the smart city is to turn them into a technologically intelligent community where collective human intelligence works in parallel to AI for maximum effectiveness. However, in practice, such form of citizen engagement (to the level of co-governance by society) has yet to be observed in real life examples.

The democratic concept of stakeholder involvement in system design is quite old and well established. Without careful consideration and management, involving stakeholders can cause issues rather than provide benefits. Smart city, being a complex, large-scale, cyber-physical, multi-faceted, multi-layered and socio-technical system, presents new challenges on how to involve and engage the right stakeholder (citizens).

The critical aspect of any smart city project is derived from the political, social and cultural values of the society. The design and infrastructure of a smart city, type of citizen engagement and its evolution will reflect the political system. Examples of such differences can be seen in the citizen engagement by Japan, in the Social Credit System by China, or the bio-microchip implementation by Sweden.

Whether citizen engagement is a democratic initiative (neo-humanist), where the technology is utilised to improve the life and environment of a city, or is it a step towards an increase in controlling the behavioural patterns of the citizens on politically acceptable values inherent in the governance layer of society (functionalist approach) or as simply phrased mass surveillance, the questions regarding citizen engagement such as who will be involved, why, when, how and how much, would all be answered within the political context and the paradigm of governance of a country.

There is a need for further research on various dimensions of citizen engagement not just from purely technological perspectives but also from a social perspective such as political, cultural, and ethical. It is one of the important aspects of smart city and lack of proper citizen engagement and fair representation of citizens from all walks of life can have serious repercussions. Lack of diverse representation can lead to biases in design, that can disadvantage the under-represented or underprivileged groups of citizens. Also, there is a possibility of increasing the digital divide that will impact the less technologically savvy population of cities.

Another crucial issue that requires attention is data protection and privacy. Smart cities capture and manage large amounts of data that is extremely important for their operations. Any data loss will disrupt city operations and will impact citizen’s trust and confidence. Data collected and manipulated by Smart Cities solutions are critically sensitive for citizens, businesses, governmental, and emergency services, etc. To ensure compliance with data protection regulations such as GDPR, smart city architecture must include data protection as a critical requirement and must embed privacy protection in all stages of the data lifecycle.

The Microservice API Patterns at www.microservice-api-patterns.orgdistill proven solutions to recurring service interface design and specification problems such as finding well-fitting service granularities, promoting independence among services, or managing the evolution of a microservice API.

Motivation

It is hard to escape the term microservices these days. Much has been said about this rather advanced approach to system decomposition since James Lewis’ and Martin Fowler’s Microservices Blog Postfrom April 2014. For instance, IEEE Software devoted a magazine article, a two-part Insights interview (part 1, part 2) and even an entire special theme issueto the topic.

Early adopters’ experiences suggest that service design requires particular attention if microservices are supposed to deliver on their promises:

How many service interfaces should be exposed?

Which service cuts let services and their clients deliver user value jointly, but couple them loosely?

How often do services and their clients interact to exchange data? How much and which data should be exchanged?

What are suitable message representation structures, and how do they change throughout service lifecycles?

How to agree on the meaning of message representations – and stick to these contracts in the long run?

The Microservice API Patterns (MAP) at www.microservice-api-patterns.orgcover and organize this design space providing valuable guidance distilled from the experience of API design experts.

What makes service design hard (and interesting)?

An initial microservice API design and implementation for systems with a few API clients often seem easy at first glance. But a lot of interesting problems surface as systems grow larger, evolve, and get new or more clients:

Requirements diversity: The wants and needs of API clients differ from one another, and keep on changing. Providers have to decide whether they offer good-enough compromises or try to satisfy all clients’ requirements individually.

Design mismatches: What backend systems can do and how they are structured, might be different from what clients expect. These differences have to be dealt with during the API design.

Freedom to innovate: The desire to innovate and market dynamics such as competing API providers trying to catch up on each other lead to the need to change and evolve the API. However, publishing an API means giving up some control and thus limiting the freedom to change it.

Risk of change: Introducing changes may result in possibly incompatible evolution strategies going beyond what clients expect and are willing to accept.

Information hiding: Any data exposed in an API can be used by the clients, sometimes in unexpected ways. Poorly designed APIs leak service implementation secrets and let the provider lose its information advantage.

Such conflicting requirements and stakeholder concerns must be balanced at the API design level; here, many design trade-offs can be observed. For instance, data can be transferred in a few calls that carry lots of data back and forth, or alternatively, many chatty, fine-grained interactions can be used. Which choice is better in terms of performance, scalability, bandwidth consumption and evolvability? Should the API design focus on stable and standardized interfaces or rather focus on fast-changing and more specialized interfaces? Should state changes be reported via API calls or event streaming? Should commands and queries be separated?

All of these – and many related – design issues are hard to get right. It is also hard to oversee all relevant consequences of a design decision, for instance regarding trade-offs and interdependencies of different decisions.

Enter Microservice API Patterns (MAP)

Our Microservice API Patterns (MAP)focus – in contrast to existing design heuristics and patterns related to microservices – solely on microservice API design and evolution. The patterns have been mined from numerous public Web APIs as well as many application development and software integration projects the authors and their industry partners have been involved in.

MAP addresses the following questions, which also define several pattern categories:

The structureof messages and the message elements that play critical roles in the design of APIs. What is an adequate number of representation elements for request and response messages? How are these elements structured? How can they be grouped and annotated with supplemental usage information (metadata)?

The impact of message content on the qualityof the API. How can an API provider achieve a certain level of quality of the offered API, while at the same time using its available resources in a cost-effective way? How can the quality tradeoffs be communicated and accounted for?

The responsibilitiesof API operations. Which is the architectural role played by each API endpoint and its operations? How do these roles and the resulting responsibilitiesimpact microservice size and granularity?

API descriptions as a means for API governance and evolutionover time. How to deal with lifecycle management concerns such as support periods and versioning? How to promote backward compatibility and communicate breaking changes?

So far, we have presented ten patterns at EuroPLoP 2017and EuroPLoP 2018; about 35 more candidate patterns are currently being worked on. The published patterns and supporting material are available on the MAP websitethat went live recently. The papers are available via this page.

Sample Patterns for Communicating and Improving Interface Quality

To illustrate MAP a bit further, we summarize five patterns on communicating and improving API qualities below. We also outline their main relationships.

API Key: An API provider needs to identify the communication participant it receives a message from to decide if that message actually originates from a registered, valid customer or some unknown client. A unique, provider-allocated API Keyper client to be included in each request allows the provider to identify and authenticate its clients. This pattern is mainly concerned with the quality attribute security.

Wish List: Performance requirements and bandwidth limitations might dictate a parsimonious conversation between the provider and the client. Providers may offer rather rich data sets in their response messages, but not all clients might need all of this information all the time. A Wish List allows the client to request only the attributes in a response data set that it is interested in. This pattern addresses qualities such as accuracy of the information needed by the consumer, response time, and performance, i.e., the processing power required to answer a request.

Rate Limit: Having identified its clients, an authenticated client could use excessively many resources, thus negatively impacting the service for other clients. To limit such abuse, a Rate Limit can be employed to restrain certain clients. The client can stick to its Rate Limit by avoiding unnecessary calls to the API. This pattern is concerned with the quality attributes of reliability, performance, and economic viability.

Rate Plan: If the service is paid for or follows a freemium model, the provider needs to come up with one or more pricing schemes. The most common variations are a simple flat-rate subscription or a more elaborate consumption-based pricing scheme, explored in the Rate Plan pattern. This pattern mainly addresses the commercialization aspect of an API.

Service Level Agreement: API providers want to deliver high-quality services while at the same time using their available resources economically. The resulting compromise is expressed in a provider’s Service Level Agreement(SLA) by the targeted service level objectives and associated penalties (including reporting procedures). This pattern is concerned with the communication of any quality attribute between API providers and clients. Availability is an example of a quality that is often expressed in such an SLA.

Microservice API Patterns (MAP) is a volunteer project focused on the design and evolution of Microservice APIs. We hope you find the intermediate results of our ongoing efforts useful. They are available at www.microservice-api-patterns.org– we will be glad to hear about your feedback and constructive criticism. We also welcome contributions such as pointers to known uses or war stories in which you have seen some of the patterns in action.

The patterns in MAP aim at sharing timeless knowledge on distributed system APIs. While trends like microservices come and go, the fundamental design problems of exposing remote APIs will not go out of fashion any time soon!